How to Use Enrolled Devices

Once you have enrolled in 2FA, you will be prompted for an enrolled second-factor device whenever you log in to a website that’s protected by WebAccess. You will be able to choose from the options that are available to you based on the devices that you’ve enrolled. The options will be displayed at the WebAccess screen as you log in.

The information below explains how the various device options will work when you’re logging in.

It is strongly recommended that you enroll at least two devices in case there is a problem with your primary device. For instance, if you have both your cell phone and office landline enrolled, then you’ll still be able to work once you arrive on campus if you leave your phone at home.

Smartphone (with App Capabilities)

A smartphone (with the Duo Mobile app installed and active) provides the easiest and most secure authentication option (a push notification), as well as the greatest number of authentication options. It is, in fact, the recommended device. Having said that, 2FA supports every user—even those without cell phones.

Duo PushDuo Security is Penn State’s 2FA partner, and with the Duo Mobile app installed and active, requesting a push notification at the WebAccess screen will allow for simple, one-tap authentication from your phone. This requires an Internet connection. The Duo Security video below shows how easy it is to use Duo Push to log in. Note: This is a general login example, not an actual example using WebAccess.

PasscodeUsing the Duo Mobile app, you can generate a passcode to be entered at the WebAccess screen. This option is similar to using a legacy hardware token and will work even without an Internet connection and/or cellular service.

Phone Call Selecting a phone call to your smartphone will result in an automated call from Duo Security. Follow the simple phone prompts to authenticate.

SMS (Text) PasscodesAt the WebAccess screen, requesting SMS (text) passcodes will result in a text message being sent to your phone with 10 one-time use passcodes, one of which can be entered into the passcode field on the WebAccess screen to authenticate. (The other passcodes can be used at a later time.)

Mobile Phone without App Capabilities

Phone Call Selecting a phone call to your cell phone will result in an automated call from Duo Security. Follow the simple phone prompts to authenticate.

SMS (Text) Passcodes (if phone can receive text messages) At the WebAccess screen, requesting SMS (text) passcodes will result in a text message being sent to your phone with 10 one-time use passcodes, one of which can be entered into the passcode field on the WebAccess screen to authenticate. (The other passcodes can be used at a later time.)

Tablet

A tablet with the Duo Mobile app installed and active provides some of the same authentication options as a smartphone:

Duo PushWith the Duo Mobile app installed and active, requesting a push notification at the WebAccess screen will allow for one-tap authentication. This requires an Internet connection.

PasscodeUsing the Duo Mobile app, you can generate a passcode to be entered at the WebAccess screen. This option is similar to using a legacy hardware token on the WebAccess screen and will work even without an Internet connection.

Landline

A landline will work for 2FA; however, because of the stationary nature of the phone, it is strongly recommended that you enroll more than just one landline in the service. Even two landlines (one at home and one at the office) is better than just a single landline.

Phone Call Selecting a phone call to your landline will result in an automated call from Duo Security. Follow the simple phone prompts to authenticate.

Duo Token

Most people will not want (or need) a Duo Token because using a phone is the easiest way to use Penn State’s Two-Factor Authentication (2FA) service. Only in special cases when a phone cannot be used for the service should a hardware token (specifically, a Duo token) be used.

Only a Duo Token will work with 2FA: other legacy hardware tokens (such as Vasco tokens) will not work with 2FA.

Passcode Generate a passcode by tapping the button on the token, and then enter the number in the passcode box on the WebAccess screen.

Note: If a user has an accessibility issue that cannot be negated by using Two-Factor Authentication (2FA) with a phone, then there are accessible device options available, specifically a Yubikey, which connects to a USB port and has a “button” on the device for one-touch authentication.